A data subject is…
an individual about whom personal data is processed
A data controller is…
an organisation or individual that decides how and why personal data is processed. (Has the relationship with the individual)
‘natural or legal person, public authority, agency or other body who, alone or jointly with others, determines the purposes and means of the processing’
Obligations:
- Allowing individuals to exercise rights to access their information.
- Keeping records that can be provided to supervisory authorities on request.
- Ensure compliance with international data transfer rules.
- Subject to fines if their obligations are not met.
- Can be subject to claims from individuals.
A data processor is…
an organisation or individual that processes information on behalf of the data controller. (No decision making autonomy. Cannot do anything with the data unless instructed by the controller. )
‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’
Obligations:
- Accountability.
- Keeping records that can be provided to supervisory authorities on request.
- Notifying of data breaches.
- Appointing a DPO if necessary.
- Ensure compliance with international data transfer rules.
- Subject to fines if their obligations are not met.
- Can be subject to claims from individuals.
- Activities must be transparent to the controller.
- Any decisions must rely on approval from the controller.
The supervisory authority (SA) is…
also known as the data protection authority (DPA), an entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
Controller vs. processor
Both controller and processor can be legally responsible for breaches in the law.
Controller has more obligations than the processor does.
Roles are specific to processing operation. Thus a person or organisation may be a controller for one processing operation whilst being a processor for another.
